General Data Protection Regulation Policy

This Privacy Policy is intended to clarify all aspects regarding the protection and privacy of all data provided by you as client or supervisee at my private practice. I will endeavour to keep it updated as developments occur in relevant legislation. I am regarded as both a Data Controller and Data Processor as I gather, store and process data in my work as Counsellor and Clinical Supervisor.


1. Data Held.

At commencement of a new contract, clients and supervisees will be asked to complete a contact sheet and consent form, consenting to my holding of relevant personal data, as part of our contract of working together. This signed form will be held in a locked filing cabinet in my home. A copy of this form will be given to clients/supervisees. The form will hold relevant information including name, address, contact phone number, email address and either GP or emergency contact names and phone numbers. There are some further details for supervisees including accreditation, qualification and insurance.

This data will not be shared with any other party without their consent, unless there is a legal requirement or court order to do so, or where there is immediate risk of harm to them or to others.

This data will be held by me in paper form in a locked filing cabinet.

Personal data also includes anonymized Counselling session notes which will be stored in a locked filing cabinet. These notes will consist of a brief summary of some of the points from each appointment attended.

A record of appointments with supervisees will be typed but not stored on computer. A copy of these will be given to each supervisee for their own records.


2. Data Retention.

All personal data will be held by me for a period of 10 years from the date of our last sessions, in line with direction from the insurance company with whom I hold my professional indemnity. The data will then be securely shredded. Data will be held for longer if necessary if there is an ongoing or pending court case or complaint.


3. Electronic Data Records.

Any emails or text messages received by me to my phone number, through my Gmail account or through the website www.albapsychotherapy.ie will be managed as follows:

Email from current clients/supervisees will be printed and stored with the contact/contract form before being deleted.

Emails (sent directly to me or forwarded from other referral sources) seeking to make a first appointment or enquiring about the service I offer will be held from no more than 1 month after being responded to and then deleted. Should a first appointment take place, the emails will be printed and stored with the contact/contract sheet.

Text message(s) and phone call(s) seeking to make a first appointment or enquiring about the service I offer will be held from no more than 1 month after being responded to and then text messages will be deleted. Should a first appointment take place, the text messages/phone calls will be written out and stored with the session notes and/or contact/contract sheet.

For current clients’, text messages and phone calls will be written up and held with the notes and/or contact/contract sheet before the text message(s) is/are deleted from my smartphone.

For those attending appointments with me, their first name and phone numbers will be stored in the contact section of my smartphone but will not identify the individuals in any other way. The smartphone is password protected.


4. Access to Personal Data.

Clients have the right to access their data records via a Subject Access Request (SAR). This access will be arranged within 30 days. Clients may request the updating or correction of data held. Clients may request the return, copy or deletion of their data.  However, this is subject to legal requirements where I must hold data for a minimum of 10 years. Clients may also request that their data is sent to another data controller.  The method of sending the information will be agreed with each request/individual.


5. Data Breaches.

I will notify affected parties of any serious breach of identifiable data. This would include incidents such as theft, loss or unauthorized access by another person. The Data Protection Commission will be notified of a serious breach of data.